Date: Fri, 14 Aug 2015 15:04:03 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: Re: CVE request: GNUTLS-SA-2015-3 double free in certificate DN decoding

Hi,

On Mon, Aug 10, 2015 at 11:23:02AM +0200, Martin Prpic wrote:
> Hi,
>
> GnuTLS released versions 3.4.4 and 3.3.17 that fix one security issue:
>
> http://www.gnutls.org/security.html#GNUTLS-SA-2015-3
>
> "Kurt Roeckx reported that decoding a specific certificate with very
> long DistinguishedName (DN) entries leads to a double free, which may
> result in a denial of service. Since the DN decoding occurs in almost
> all applications using certificates, it is recommended to upgrade to
> the latest GnuTLS version fixing the issue. Recommendation: Upgrade to
> GnuTLS 3.4.4, or 3.3.17."
>
> The upstream patch that fixes this issue is available at:
>
> https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12
>
> Can a CVE please be assigned to this issue?
>
> Also, there is still no CVE for the issue before this one. The CVE
> request was sent on May 5:
>
> http://seclists.org/oss-sec/2015/q2/367
>
> Can a CVE be assigned to this as well?
>
> Thank you!
>
> Refs:
> rhbz GNUTLS-SA-2015-2: https://bugzilla.redhat.com/1218426
> rhbz GNUTLS-SA-2015-3: https://bugzilla.redhat.com/1251902

Explicitly adding the MITRE CVE assignment team to the loop. Can CVEs be
assigned for both the GNUTLS-SA-2015-2 and GNUTLS-SA-2015-3 issues?

Regards,
Salvatore
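The advisory quoted above names only the fixed releases (3.4.4 on the 3.4 branch, 3.3.17 on the 3.3 branch), which is all an administrator has to go on when triaging a fleet. The script below is an added example, not GnuTLS project code or anything from this thread: it reads the installed GnuTLS version and classifies it against those two fixed releases, branch by branch, so that a 3.3.x host is not wrongly marked fixed just because 3.3.17 is numerically smaller than 3.4.3. The function names (`gnutls_installed_version`, `gnutls_sa_2015_3_status`) and the sample version strings in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the GnuTLS project): classify a GnuTLS version
# against the fixed releases named in GNUTLS-SA-2015-3.
#   3.3 branch: fixed from 3.3.17
#   3.4 branch: fixed from 3.4.4
# Anything newer than 3.4 was released after the fix; anything older than
# 3.3 has no fixed release named in the advisory, so it needs an upgrade.

# Print the version of the GnuTLS library installed on this host, trying the
# pkg-config metadata first and the gnutls-cli banner second.
gnutls_installed_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --modversion gnutls 2>/dev/null; then
        return 0
    fi
    if command -v gnutls-cli >/dev/null 2>&1; then
        # First line of "gnutls-cli --version" ends with the version number.
        gnutls-cli --version 2>/dev/null | awk 'NR == 1 { print $NF }'
        return 0
    fi
    return 1
}

# gnutls_sa_2015_3_status VERSION
# Prints "fixed" or "vulnerable" for a version string such as "3.3.16" or a
# distribution package version such as "3.3.8-6+deb8u3" (suffix is ignored).
gnutls_sa_2015_3_status() {
    ver=$1
    # Keep only the leading digits-and-dots part: "3.3.8-6+deb8u3" -> "3.3.8".
    ver=${ver%%[!0-9.]*}
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    major=${major:-0}
    minor=${minor:-0}
    patch=${patch:-0}
    case "$major.$minor" in
        3.3)
            if [ "$patch" -ge 17 ]; then echo fixed; else echo vulnerable; fi ;;
        3.4)
            if [ "$patch" -ge 4 ]; then echo fixed; else echo vulnerable; fi ;;
        *)
            if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -gt 4 ]; }; then
                echo fixed        # branch released after the fixed versions
            else
                echo vulnerable   # 3.2 and older: no fixed release named, upgrade
            fi ;;
    esac
}

# Convenience wrapper for interactive use: report on the installed library.
# Returns 0 when fixed, 1 when vulnerable, 2 when no GnuTLS was found.
gnutls_sa_2015_3_report() {
    v=$(gnutls_installed_version) || { echo "GnuTLS not found"; return 2; }
    s=$(gnutls_sa_2015_3_status "$v")
    echo "GnuTLS $v: $s (GNUTLS-SA-2015-3)"
    [ "$s" = fixed ]
}
```

Run `gnutls_sa_2015_3_report` on a host to get a one-line verdict. One caveat: distributions often backport the fix while keeping the old upstream version number, so on Debian, Red Hat or similar systems a "vulnerable" result from the version string alone must be confirmed against the package changelog or the vendor's own advisory before it is treated as a finding.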